I have a few basic questions about the attack here:
- Do you have multiple connections from the same IP addresses making malicious accesses to your mail server or is each IP address unique?
Not really at this point; I set the threshold on SmarterMail to 1 failed attempt and it blocks.
If they are SMTP AUTH failures, I keep those as single-IP blocks for 9 years on SmarterMail; if they are IMAP failures, I extract the ASN details, and if it's a country and/or provider that I know I will never communicate with, then I block every IP under their ASN on the firewall.
I am trying to automate the email notification I get when it's IMAP: extract the IP, check it against the ASN, import all IPs under the ASN into a text file, and then import that into the firewall as a block rule.
- Are there certain countries from which the attacks are particularly common, such as China, Vietnam, Russia, Romania, Amsterdam, etc.?
Everywhere, including the US
- Are there any commonalities between the attackers, for example the ASN of the IP addresses, that indicate that certain networks of providers are particularly frequently abused for this purpose?
Not really, although a lot are in Asia, Africa and South America, and some are large providers like Digital Ocean who have networks across many countries; it's so easy to spin up a droplet and use it from there as an attack drone.
- Which lists in pfBlockerNG do you use?
PR1 through PR4, SCANNERS and TOR
- Did you also work with GeoIP under the IPv4 tab in pfBlockerNG and create a native alias with which you can block certain attacking countries?
GeoIP only set to Top Spammers
- Did you make advanced rules for ports 25, 443, 465, 587, 993, 995 etc. in the pfSense firewall rules where you limit the source IP and the maximum number of reestablished connections?
Not at the moment; I will have to test it. Do you have a recommendation on settings or an example for me to look at?
One thing I am noticing is an uptick in attacks from IPv6 networks.
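The automation described in the post above (take the IMAP failure notification, pull out the IP, resolve it to an ASN, and emit every prefix of that ASN as a one-CIDR-per-line block list) can be prototyped in a few dozen lines of Python. This is an added example, not code from the poster or from SmarterMail/pfSense. The notification layout, the prefix-to-ASN table and the deny-listed ASN are all constructed stand-ins: SmarterMail's real e-mail template is not shown on this page, and the ASN table would in practice come from a WHOIS/RDAP lookup or a downloaded prefix-to-ASN dataset rather than a dictionary. The output file format (one network per line) is what a pfSense URL-table alias or a pfBlockerNG custom list consumes.

```python
import ipaddress
import re

# Constructed sample notifications (RFC 5737 documentation addresses).
# The field layout mimics a generic IDS alert e-mail; it is an ASSUMPTION,
# not SmarterMail's actual template.
SAMPLE_NOTIFICATIONS = [
    "Subject: IDS alert\nProtocol: IMAP\nIP Address: 203.0.113.45\nReason: failed login",
    "Subject: IDS alert\nProtocol: SMTP\nIP Address: 192.0.2.10\nReason: AUTH failure",
    "Subject: IDS alert\nProtocol: IMAP\nIP Address: 198.51.100.7\nReason: failed login",
    "Subject: IDS alert\nProtocol: IMAP\nIP Address: 192.0.2.99\nReason: failed login",
]

# Constructed stand-in for an ASN lookup (prefix -> ASN, RFC 5398 documentation
# ASNs). In production, replace with a WHOIS/RDAP query or a prefix-to-ASN table.
PREFIX_TO_ASN = {
    "203.0.113.0/24": "AS64496",
    "198.51.100.0/24": "AS64496",
    "192.0.2.0/24": "AS64497",
}

# Operator policy: ASNs the administrator has decided never to talk to
# (constructed value; this is a human decision, not something the script infers).
DENY_ASNS = {"AS64496"}

_IP_RE = re.compile(r"IP Address:\s*([0-9a-fA-F.:]+)")
_PROTO_RE = re.compile(r"Protocol:\s*([A-Za-z]+)")


def parse_notification(text):
    """Extract protocol and source IP from one alert; None if the mail is malformed."""
    ip_m = _IP_RE.search(text)
    proto_m = _PROTO_RE.search(text)
    if not ip_m or not proto_m:
        return None
    try:
        ip = ipaddress.ip_address(ip_m.group(1))
    except ValueError:
        return None  # garbage in the IP field: do not block anything on a bad parse
    return {"protocol": proto_m.group(1).upper(), "ip": ip}


def lookup_asn(ip, table):
    """Longest-prefix match of ip against the prefix -> ASN table (v4 and v6 safe)."""
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def prefixes_for_asn(asn, table):
    """All prefixes the table attributes to the given ASN."""
    return [p for p, a in table.items() if a == asn]


def build_blocklist(notifications, table, deny_asns):
    """Return the sorted, de-duplicated CIDR list to push to the firewall.

    Only IMAP failures are escalated to ASN-wide blocks; SMTP AUTH failures are
    left as single-IP blocks on the mail server, as described in the post.
    """
    cidrs = set()
    for text in notifications:
        event = parse_notification(text)
        if event is None or event["protocol"] != "IMAP":
            continue
        asn = lookup_asn(event["ip"], table)
        if asn in deny_asns:
            cidrs.update(prefixes_for_asn(asn, table))
    # Sort by address family first so v4 and v6 networks never get compared directly.
    return sorted(cidrs, key=lambda c: (ipaddress.ip_network(c).version, ipaddress.ip_network(c)))


def write_alias_file(cidrs, path):
    """Write one network per line, the format a pfSense URL-table alias accepts."""
    with open(path, "w") as f:
        for c in cidrs:
            f.write(c + "\n")
    return len(cidrs)


if __name__ == "__main__":
    blocked = build_blocklist(SAMPLE_NOTIFICATIONS, PREFIX_TO_ASN, DENY_ASNS)
    print("\n".join(blocked))
```

Two design points worth keeping when this goes beyond a prototype: the deny decision stays a manual allow/deny table rather than "block whatever ASN the IP came from", otherwise one spoofed or compromised host at a large provider (the Digital Ocean case mentioned above) would take out every customer of that provider; and a malformed notification results in no block at all rather than a best-effort guess, since a bad parse that blocks the wrong prefix is worse than a missed alert.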